January 17, 2019

21M Passwords Leaked in Collection 1 to Wreak Corporate Cybersecurity Havoc

Executives need to be aware of cybersecurity risks and take the precautions needed to ensure business can continue operating in light of this historic new threat.

The sad fact is that many people use the same or similar passwords across accounts. This presents a serious challenge for enterprise cybersecurity, because the weakest link in an organization is the intersection of employees and the services they use. To take a common example – if your employees have Yahoo accounts, use the same or similar passwords in your organization, those passwords haven’t been changed, and Yahoo has been hacked (which it was) – then your company could be at substantial risk.

Hackers have become far more creative in their approaches. One of the more devious schemes we have seen is where they compromise a corporate email account and monitor it over time. When the account in question is about to send information related to a wire transfer, the hacker steps in and substitutes their own bank account details. Once this has happened, the challenge becomes who is liable. A customer who is duped in this manner doesn’t want to pay again, and the company won’t deliver the service as a result.

In other words – in such a hacking situation, both companies not only lost out on revenue or service but will now incur the business disruption of legal proceedings.

The cybersecurity situation was already bad, but in what is being called the mother of all breaches, 772,904,991 unique emails and 21,222,975 unique passwords have just been discovered on hacker forums.

What are called credential stuffing attacks – replaying leaked email and password pairs against other services in the hope that the victim reused them – will now be more lucrative and successful than ever.

According to Troy Hunt who broke this news:

In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don't always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.)

The data was also in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum. In terms of the risk this presents, more people with the data obviously increases the likelihood that it'll be used for malicious purposes.
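Hunt’s counting rule above (email addresses compared case-insensitively, passwords case-sensitively, several delimiter styles, junk lines discarded) is what a security team would reproduce to measure its own exposure in such a dump and identify which of its accounts need a forced reset. The following is an added illustration, not code from this article or from Troy Hunt; the combo-list lines it parses are constructed samples.

```python
import re

# Constructed sample of combo-list lines in the mixed formats Hunt describes:
# colon, semicolon and space delimiters, inconsistent email casing, junk rows.
SAMPLE_LINES = [
    "alice@example.com:Passw0rd!",
    "Alice@Example.com;Passw0rd!",      # same pair once email case is ignored
    "alice@example.com passw0rd!",      # different password (passwords are case-sensitive)
    "bob@example.org:hunter2",
    "bob@example.org:hunter2",          # exact duplicate
    "INSERT INTO users VALUES ('x');",  # junk: a SQL statement, not a credential
    "not-an-email:whatever",            # junk: no usable email address
    "",
]

EMAIL_RE = re.compile(r"^[^\s:;@]+@[^\s:;@]+\.[^\s:;@]+$")


def parse_line(line):
    """Return (email lowercased, password) or None if the line is not a credential."""
    line = line.strip()
    if not line:
        return None
    # The email ends at the first colon, semicolon or whitespace run; the rest is the password.
    m = re.match(r"^([^\s:;]+)[\s:;]+(.*)$", line)
    if not m:
        return None
    email, password = m.group(1), m.group(2)
    if not EMAIL_RE.match(email) or not password:
        return None
    return email.lower(), password


def summarize(lines):
    """Unique emails, unique passwords and unique email/password pairs, plus junk lines."""
    emails, passwords, pairs, junk = set(), set(), set(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            junk += 1
            continue
        emails.add(rec[0])
        passwords.add(rec[1])
        pairs.add(rec)
    return {"emails": len(emails), "passwords": len(passwords), "pairs": len(pairs), "junk": junk}


def exposed_accounts(lines, domain):
    """Addresses at the organisation's own domain that appear in the dump (reset candidates)."""
    suffix = "@" + domain.lower()
    return sorted({email for email, _ in filter(None, map(parse_line, lines)) if email.endswith(suffix)})
```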

Obviously, changing passwords is critical at this point. Others also recommend using a password manager, but this can create thorny issues of its own, since these managers have been hacked in the past.

The sheer volume of this data means there will be even more breaches this year, since, as we all know, most people will not update their corporate or other passwords as a result of this news.
